I'm trying to use firefox to authenticate to an internal web site. Like *many* internal web sites, this one doesn't have correct reverse DNS so Kerberos doesn't get the right SPN and fails to get a ticket for it.
That doesn't stop it from trying *something*, and screwing up my NTLM auth that would have succeeded....
First it sends a request with no Authorization: header, gets back a 401 with
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Then it sends this:Authorization: Negotiate YIIP1wYGKwYBBQUCoIIPyzCCD8egFjAUBgYrBgEFAgUGCisGAQQBgjcCAgqigg+rBIIPp2CCD6MGBisGAQUCBQUBMBahFAQSR0VSLkNPUlAuSU5URUwuQ09NbIIPfTCCD3mhAwIBBaIDAgEMo4IO/jCCDvowgg4eoQMCAQGigg4VBIIOEW6CDg0wgg4JoAMCAQWhAwIBDqIHAwUAAAAAAKOCDT1hgg05MIINNaADAgEFoRQbEkdFUi5DT1JQLklOVEVMLkNPTaInMCWgAwIBAqEeMBwbBmtyYnRndBsSR0VSLkNPUlAuSU5URUwuQ09No4IM7TCCDOmgAwIBEqEDAgEDooIM2wSCDNfbtGw91WzeppZocKMxPM6j9iV1ywUjWzxqgYrbE+lo/p8ps90ADV7VfCrFV6UJZWJjp8FNVjYpo2MA/Uj+i2jO8nR8RAOOP+iYCrDgWaGKNZsrpZeUdDQo2Iiwf8lGUrz3GG5tG1+ix7qXcngiU5iEr++8T4ArR12LF1SwRePQd0KXGwXALpu1lPg0DwVRlkOHj8RkkSgERb/mIyGzc1CNgLrKFTWqVgEys+LoI7HV/XasehCgrtU/Ep2P/cb3lfa2OYpzu21mEp0XOueEqOcxR3pGo8namZIiLY1glOa5mimJ4rvBC7Y/M9lEiMx3DyDR/ezbeZnHt64O6VoUHRaseYjNPzHFxduwZBgPRQZcplSY+g4lj38zp6TstQ81JfB10w9tMR/x8lw6JjFGXgau+etl7M9wkYx8hVf+YP5JYTiV5p3TTdRAqKSF+0JQQ+qkAGzn4bl7kwT9YzBbzUwx5q4TQKjgtH6Uk1rFFR1J5k+i8qzjptJaymXLYks+fslYEfNjqJsadi6oCji3l0+ZcHQJOYINy7B6TuBdFLe1xwZgzytxOE60znUXE+zEKGX6PUd3aCIU333fc+AcwrEL5KrkW2ieGfck1JGlcgmdI8aIIKG8biJOAWl0YuDuyyIOkSQdTcPpm6VoknUtEGdaaD7hmrlznt9r54DUYkrWdCdtHmlZlRUiNDEJIk6yu4dx1Mypa6WXlUy5N2Y3RUvy6AokMQpzEao8R3k33xskgQVnA/JIR9zAzp3fYVTI+uCQLGwFchLmlOdepXmt297gq0riVHrHIhq9M7rV9mNGuy5gUKiWYR0wSLkBSOovg5V0jigVtaaOUBfsW2mBRPdgyR697vz8GFjxQDc3D7KrK/IdaxNOe74t1oUl6VNXwGLtTAFvnn91WWnaxI2mEJkWXx7X0JlXk5LMIKOyFh0P5bcBCv17Q154q6YNHiLYrEhqMGILdprk+p/a04PDQOwxZisIhGbgamfEHOqWbxU/sPjPaip/EgOtEQrFzvaZ4w75EMFjjN4r9Lqp2yYfOftlWp+jXuHsEiV7bZT+QVsk8/SqYJIt/SKvxRVz04fzljjDgUokK7Ot6EuQrYUpQKR+AZ6KlWpx5mVCOpvvUOkaxrf0F1VvuM1cPdHTROl4quBOvKvGKagWCCfoqdpHDb7M6JM6ORjlzPXDOP6iHjd2Eo2CRYBcq0TZ5tS7Cih8Hy6Hr9S1KQa1ZFTiI0gCGxKJfBtD3W61NYVAP0PPZsNm+ecQlKDNHhO9Gyj2ub06d1PNaE2a1DCONvHvvFYi+lpW4dfX5NDt/udBVxkWmuh1iw2jHuh7u4MQmXNSglUb3CySZGDx7vf/uEZ4M+TRx8sQG1tlLItFiIEC9RC2CWAJHohOK4PykwvFS1/mWagwNRqFCXoC5294Z8ZackvWvsw8vfy0X4HVNP1G3zSt62cQ3PteWuiTJmRe/687xMbsxkiElk9p1PMQYkQ7093CU7OLV/Zp7eh4QoM+/QajOVJRZ+y9VlOLO3GiU0Lt5gEdwa0ewFW/NnvpdxSBEpihAk0jAFCiTjYQRkxKzsynpeZ3VchknuicI62wGiH2SlNgtaGdmByoahWdEQQ6725IcTGvoJh1H/lzwWlDh3QSHXVxf0Km8bOQas35a9Vk7bLObW0kiaKchZgkeVjbpHWNzdNmqYFElj4Itokhtp8yLBdVavRHk0H3tuKUjDMceRruRlCH8d0o48G/C8dsv9uUoWy/jF2/0HxIOelJKtAPDwasUMa+hfbW0aoUBOuco4DkBgzH8YqygBcyCfnp0+NLGqGoe8PWLfV2HDU9DS+22O9oEZ7Zu3sddkS3QhE4B1cTimUFWtfgRGRv3EJj+0U/MKmSBkjh/uZHkQEdcva6dNqXG776qb1i5nTMcmtmdWpquUUzdeTcLtuf+e/+Zl3+oHNcv0+3OuYqtNg6GwsMxu45YdsEQs2F5Q0k2A2uIRwJ0Mh4bT+bP/KaA+lOBspUQc2j3q1UVCoVAL/4QieKEeMcg29sWm7YsQ2k5HEyzC4MhDE5idwTsMcTGf8wyqAXnMmf8i7dDtraYSuUUqogKAdowOyzVtQaBoz2XuiGQ2hhwoo9fjV9oKP6JAyhRC64xQCLeNGDvk0iR7zosaCIE+mz2nbDSCn8YOKmomkBxPVCSnqlqrqItdD2z+ZzhoeQhckkfYMk1jWgnZ6ROnxLnCqj8kIyb2M50igMwq7YMvDIBJWAJAHXoXlSkyUv97YnsfGchD9aJmf9o0Yky35/1cxWaWVk3Bj1nKQVm4Vt8KcaDtIxZ7xAZCx7OlTIJph/d5DLCIeYLuXHRVoMNTqwdoWATjbmY/Ww+DDKCCZuEJ6JocD5IEXrOJADYF5VsClZZQr1UnAtYPNXhyW7eZg6IKcEzE470/daY9TZ3m+1sOMdqOdOActopZ2XS33KLJltIx7WcSJm5BaBVq1PeswB9M8NrHr7jKfyv7jQltR2m3s8XcQpUYdvaO9gAvMqrRbYsu3Lb2abj7TcLo8b44MNYO4YX0kdsIzyxJ6KJczMg4QEch59eOfRRy2IWjHJcBcji58O5hlPIcdKP+WA+THN+GPMhFFa7XGBw/TrVjeAkn1yDoeKkwM2+eeNNj7pOw6tT3Hib1A/EKhkSJoAkKp0RB4tNNYwekEfuDsbvG4EUhk2hGsgXzyuSF1TJu9mKxopBMI/oS1CjzwQPhCMfgNXGFGbfqVSkWeDEYBovsj6+NbJUUJOUXn663P9i45Mg3MAMTAIjyHXBzYd1sZIIqypbFPfzpovA8vKWPkNdKf6wGuEYLY7VVSnNaVzsCtzuL/x2l6thtbIRkrSFlRP1JWoIaw4X7Hj1GTGeoCOZBfnQZT8AnkLVWI0Osj+rRAnxKQVNy6DWPhADrsjA6G+u7ZSCPmRqgC3YBLNq/A2nEjISCcVE9rEW/wTctUJqk3OU0quexffElIyWPSNLvUC3J2xPkBCVSxlCTdpefZzWkU/HAmSKMD+8HbKSVwp+tjSyohUjEEBZ+7yg/3gFZ6cfPcsqp9ScLwNlmbFR3OWJWrhTQpGH8NeanL4cxE7axnlA03Ds5Kw8696vPjI3umsPIdgzds8kNtOlCaN2R58yQ1f+NRQ6Huad3q77shBDgzVIGJyC1RjWrVm2eurVMxfhGe9dKKEizw9w5hYRI8zRfJhR27YA+8nle4ho980BgWQvjXC/lW1IswG4s4GWxN2aR76sBdUUeE1bFwUtfgo5ni2dOcjJttGk0G8T3Ne8oIAoLqhp470P0ny1Ji+WkeEYHE3quFlyT0YsPDAuBmUb265fZFM68+UDNCg6n2GhAPA3Mdf5xbCuzkTWlkqIxQYFf0HUnprH/9c91r9snhnIjx0/YU0LJ/Zqw9yWSPtzC/+KV4yx+K/oEAMoPiFDbdQw3L/KU4VgxeS4dF6+n1ZkzqLUaT1vXFMvXSlvH0yS8YGltFcX5sH9/ng/SgVC5dU+PXnl/VQvwSgH3RksPY/58O8INqsK7KvU/l0B8W06oXg5YatKtJLWUvcTa2ydKbD/gGRLiU6WYMSc8uNG5raPpbs7Zw1w5uJIH8ww+SvAW3SX9LLrm1dfiO4Nyabt9L0680DQlFTAFTJ4k2KewFRI5W2GrlGdPJ4oW8M7ybcdAi99thHuAaTNAuUnJPzjjGJPVWbYw+hIIX/1ss9xVhDdABuwO665feNTQF1PsTLjgdyEyo9gi7hGfNxIu8kYwlTrfH/VEzNQ4jEE0oRQ003Ndytl8T8HcKBwNGLozHiKAozvoJ+bJXqLK4uIAyFB9HkEIk4yxO00NKtL9GyiSgJncT5ZOQwHO27u5WWj6iMrnIEUn00mLM81+Qy9IxVuceI0UMnnYoiv0cLCFkaE9ymt2jYbxK55Oezu0WAAp2QgfNkSJtduTMOOf3l7xLRhbL58MOPJSWCKIk99pZdk4rszh4vtS7MhJRTAf/hVT6c91fIese8eUdRQyk3L4LiBf99Y77cJq7/GmZY/uyJrTpARsQITqgNDYC4pRVUT6pD/sDz1rkGQ/Q5VB0ZdfMmVgeXNO2iPXKe4luj+TK+yfGxCu/AynLjMjFHVFoJvox9G/l1yPXJb74YKJ8CYgJNSD9TrZ6RDlcep7maPdoSpM0UD5q5jsek7tMkmelwf0cnkpIFXg4II7Kt7DTaJBzR9Une8fXnTA58qn20d1QBn7Ss195Q4XvvAbUKn8praovJ4Vg5fAtQCMUkjT6pF3Ro7sD1d4n6TL11c0XrByZWHBqZKrPq+Id3PD1SV1yeFr6x1Z4UNa0Iem49dy67oA5KOOfvNK9t5iC3wmJE+j5Mytc1GMBuV4fuEPmsxpAzcaqlaRy/CinIZoAnD0lH7pSJnKSBsjCBr6ADAgEXooGnBIGkgmnTkGllzZBFGWV3pWc98ZBGjB++DfhR7hrUQkHaqnMfesVwHUK8hQgKsym35KWZy8klVyZB/ge3sUhKJl6a0hzaRsSsNExSh9dghKUPBd0KZ8pZ1oTzj4p7HZyxUVaKURiA7I3z+s3ZCvYDS/vnettKwIqkheHRUfB2lbpGgTDYr4EBtO+VgIaYTTyF3VT9ws2+UrZGODyFl/uiyrk1Q3P/b94wgdWhBAICAIiigcwEgcmggcYwgcOhHDAaoAQCAv92oRIEENADzN17cScXJnKzdJyjGBCigaIwgZ+gAwIBF6KBlwSBlIIMyrP7cBbJSj1HU7FXB6OJ6ma0zfFHMFcbqgkFEFF80jCR3l5dBqowhICpHABMiONBF3otaGqffIwxI7SBvBB3S4M8K8eMC4Qjxqj77+qKqGgd14+bre3ryM1qN58szG+FQIBqAS9dwWpE1LMQsp5Lk+IQLMZ/3NPPjwx6iePRerY5+E/4pjJHkCIXvGdrc0QB2n2kazBpoAcDBQBAgQAAohQbEkdFUi5DT1JQLklOVEVMLkNPTaMgMB6gAwIBA6EXMBUbBEhUVFAbDW90cC5pbnRlbC5jb22lERgPMjAxNDA3MTAwMzE3MDhapwYCBFO9eUSoCzAJAgEXAgEDAgEB
...and gets a 401 back with this:
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
If I 'kdestroy' and try again, authentication works just fine with NTLM (via gss-ntlmssp):
Authorization: Negotiate YFEGBisGAQUFAqBHMEWgDjAMBgorBgEEAYI3AgIKojMEMU5UTE1TU1AAAQAAABWyCKADAAMAIAAAAA4ADgAjAAAAR0VSRFdPT0RIT1UtTElOVVg=
WWW-Authenticate: Negotiate oYIBHDCCARigAwoBAaEMBgorBgEEAYI3AgIKooIBAQSB/k5UTE1TU1AAAgAAAAYABgA4AAAAFYKJor3g82gBoEOnAAAAAAAAAADAAMAAPgAAAAYAchcAAAAPQQBNAFIAAgAGAEEATQBSAAEAGABGAE0AUwBQAFMATQBTAE8AVABQADAAMwAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AEYATQBTAFAAUwBNAFMATwBUAFAAMAAzAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAHAAgAy44uzpmbzwEAAAAA
Authorization: Negotiate oYIBhzCCAYOgAwoBAaKCAXoEggF2TlRMTVNTUAADAAAAGAAYAEAAAADsAOwAWAAAAAYABgBEAQAAEAAQAEoBAAAcABwAWgEAAAAAAAB2AQAAFbKJoqmg54V6175b3F8hAp4O98G18JGf7OmnH1KOzKkxo6efI32UX5QveQQBAQAAAAAAAICNRc6Zm88BMnur5cIRXIAAAAAAAgAGAEEATQBSAAEAGABGAE0AUwBQAFMATQBTAE8AVABQADAAMwAEACQAYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0AAwA+AEYATQBTAFAAUwBNAFMATwBUAFAAMAAzAC4AYQBtAHIALgBjAG8AcgBwAC4AaQBuAHQAZQBsAC4AYwBvAG0ABQAcAGMAbwByAHAALgBpAG4AdABlAGwALgBjAG8AbQAHAAgAy44uzpmbzwEAAAAARwBFAFIAZAB3AG8AbwBkAGgAbwB1AEQAVwBPAE8ARABIAE8AVQAtAEwASQBOAFUAWAA=
Quite why firefox doesn't try actual NTLM auth (as opposed to NTLM-in-SPNEGO) after GSSAPI auth fails, I don't know. That should have worked too.

Package krb5-1.11.3-23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.3-23.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-23.fc19
then log in and leave karma (feedback).